b'                                                                       United States Department of State\n                                                                       and the Broadcasting Board of Governors\n\n                                                                       Office of Inspector General\n\n                                                                                 JUN 11 2014\n\n\n\n\nMEMORANDUM\n\nTO:               A - Joyce A. Barr\n                  CGFS - Christopher H. F laggs, ~;--/~\n\nFROM:             OIG/AUD - Norman P. Brown\n\nSUBJECT:          Report on F Y 2013 Risk Assessment o.fTravel and Purchase Card Programs at\n                  the Department ofState (AUD-CG-14-27)\n\nThe Government Charge Card Abuse Prevention Act of 201 2 1 (the Act) requires the Office of\nInspector General (OIG) to conduct periodic assessments of agency purchase and travel card\nprograms that identify and analyze risks of illegal, improper, or erroneous purchases and\npayments for use in determining the scope, frequency, and number of periodic aud its of these\nprograms. The FY 2013 risk assessment was the first such review conducted of the travel and\npurchase card programs of the Department of State (Department). Travel and purchase card\nprogram size, internal controls, training, reported violations, 2 previous OIG audits, and OIG\nOffice of Investigations (OIG/INV) forensic audit observations were considered in assessing the\nrisks.\n\nThe risk assessment was not an audit and therefore not conducted in accordance with generally\naccepted government auditing standards. The results of the risk assessment should not be\ninterpreted to conclude that travel and purchase card programs with lower risk are free of illegal,\nimproper, or erroneous use or internal control deficiencies. Conversely, a higher-risk program\nmay not necessarily signify illegal, improper, or erroneous use- only that conditions are\nconducive to those activities. Regardless of the risk assessment results, if the travel and purchase\ncard programs were to be audited, a team may identify such issues tlu\xc2\xb7ough independent testing\nof travel and purchase card data. For example, a purchase card program may be found to be\n"very low ri sk" based on documentation and other information provided by agency officials, the\nnumber of cardholders, and the total amount of purchase card expenditures. However, an audit\nof that purchase card program may determine that the controls outlined in an agency \'s policy are\nnot being followed and that illegal, improper, or erroneous activity is occurring. The risk\nassessment was designed to identify the programs where the OIG Office of Audits should focus\nits limited resources.\n\n\n1\n Pub. L. No. 11 2-194 .\n2\n Repo1ted violations are app licable only to purchase card programs. Violations are required to be reported if the\nagency spends more than $1 0 million annually.\n\n\n                                               UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\nThe results of the assessment show that the risk of illegal, improper, or erroneous use in the\nDepartment\xe2\x80\x99s travel card program is \xe2\x80\x9cvery high,\xe2\x80\x9d and as a result, an audit of the Department\xe2\x80\x99s\ntravel card program has been recommended for inclusion in the OIG FY 2015 annual audit plan.\nThe Department\xe2\x80\x99s purchase card program was rated \xe2\x80\x9cmedium\xe2\x80\x9d and was not recommended for\naudit consideration in FY 2015. 3\n\n                                       Scope and Methodology\n\nOIG\xe2\x80\x99s Office of Audits performed this risk assessment from March to May 2014. The objective\nwas to assess the risk of illegal, improper, and erroneous use of the purchase and travel card\nprograms to determine the scope, frequency, and number of audits recommended to be\nconducted. The assessment was conducted using industry standard principles for risk\nmanagement. 4 The risk assessment was conducted by Melinda M. Perez, Director, Contracts and\nGrants Division, and Beverly J.C. O\xe2\x80\x99Neill, Audit Manager, Contracts and Grants Division.\n\nAssessment Criteria\n\nTo conduct the risk assessment, OIG reviewed FY 2013 charge card data, documentation, and\ninformation provided by Department officials; however, OIG did not independently verify or\nvalidate the data obtained. We assessed the travel card program based on four criteria and the\npurchase card program on five criteria. The criteria are described in the paragraphs that follow.\n\n        Internal Controls. Using the criteria identified in the Act and Office of Management\nand Budget (OMB) Circular No. A-123, 5 internal controls were assessed for the travel card and\npurchase card programs. The travel card program was assessed for 28 general controls and 18\ncontrols specific to travel card programs (46 total controls), and the purchase card program was\nassessed for the same 28 general controls and 29 controls specific to purchase card programs (57\ntotal controls). A rating of \xe2\x80\x9clower,\xe2\x80\x9d \xe2\x80\x9cmedium,\xe2\x80\x9d or \xe2\x80\x9chigher\xe2\x80\x9d was assigned based on documented\ncompliance with required controls.\n\n        Training. The travel card and purchase card programs were assigned a rating of \xe2\x80\x9clower,\xe2\x80\x9d\n\xe2\x80\x9cmedium,\xe2\x80\x9d or \xe2\x80\x9chigher\xe2\x80\x9d based on the availability of training and the incorporation of training in\npolicy for each program.\n\n        Previous OIG Audits. Results of previous audits, as well as the statuses of\nimplementation of recommendations, were reviewed for the travel card and purchase card\nprograms. A program that had not been audited was assigned a \xe2\x80\x9chigher\xe2\x80\x9d rating, and the same\nrating was assigned for an audit that had been conducted more than 10 years ago. A \xe2\x80\x9clower\xe2\x80\x9d\n\n3\n  The results of the risk assessment do not preclude OIG from reviewing the Department\xe2\x80\x99s purchase card program\nduring FY 2015 or at any other time.\n4\n  \xe2\x80\x9cEnterprise Risk Management \xe2\x80\x93 Integrated Framework Executive Summary,\xe2\x80\x9d Committee of Sponsoring\nOrganizations of the Treadway Commission, Sept. 2004, and \xe2\x80\x9cRisk Assessment in Practice,\xe2\x80\x9d Deloitte & Touche\nLLP, Oct. 2012.\n5\n  OMB Circular No. A-123, \xe2\x80\x9cManagement\xe2\x80\x99s Responsibility for Internal Control,\xe2\x80\x9d App. B, \xe2\x80\x9cImproving the\nManagement of Government Charge Card Programs,\xe2\x80\x9d Jan. 15, 2009.\n                                                  2\n                                             UNCLASSIFIED\n\x0c                                               UNCLASSIFIED\n\nrating was assigned when a program had been recently audited and recommendations had been\nimplemented. A \xe2\x80\x9cmedium\xe2\x80\x9d rating was assigned for programs that had been audited recently but\nfor which recommendations had not been fully implemented. The ratings were mitigated if\ndocumentation of meaningful internal reviews (conducted by the agency) was provided.\n\n        OIG/INV Forensic Audit Observation. Ratings of \xe2\x80\x9clower,\xe2\x80\x9d \xe2\x80\x9cmedium,\xe2\x80\x9d or \xe2\x80\x9chigher\xe2\x80\x9d\nwere assigned to the travel card program and the purchase card program based on input from\nOIG/INV forensic auditors. We met with the OIG/INV forensic audit manager to discuss the\nprogress in using data mining to review travel card and purchase card transactions for the\nDepartment. The information provided by OIG/INV included results of its analyses and\ninterviews with the officials responsible for the travel and purchase card programs. Details\nrelated to each program are described in the Results of Risk Assessment section of this report.\n\n       Violation Reports. Violation reports were considered only for the purchase card\nprogram, as these reports are required when a purchase card program spends more than\n$10 million per year. 6 A rating of \xe2\x80\x9clower\xe2\x80\x9d was assigned if a report was provided and a lower\nnumber of violations had been reported.\n\nImpact and Likelihood\n\nImpact refers to the extent to which a risk event might affect the Department, and likelihood\nrepresents the possibility that a given event might occur. We used the dollars spent in the travel\ncard and purchase card programs to determine an impact rating of \xe2\x80\x9clower,\xe2\x80\x9d \xe2\x80\x9cmedium,\xe2\x80\x9d or\n\xe2\x80\x9chigher\xe2\x80\x9d and the number of cardholders in each program to determine a likelihood rating of\n\xe2\x80\x9clower,\xe2\x80\x9d \xe2\x80\x9cmedium,\xe2\x80\x9d or \xe2\x80\x9chigher.\xe2\x80\x9d The rating criteria are shown in Table 1.\n\n                 Table 1. Impact and Likelihood Ratings\n                       Rating                    Impact                        Likelihood\n                   Lower                Less than $1 million           Fewer than 250 cardholders\n                   Medium               $1 million to $10 million      250 to 500 cardholders\n                   Higher               More than $10 million          More than 500 cardholders\n                  Source: OIG developed based on review of multiple sources, including industry standard\n                  principles for risk management.\n\nThe impact and likelihood ratings were compared to determine a single \xe2\x80\x9cfactor\xe2\x80\x9d that was used in\nthe final overall risk assessment for the travel card and purchase card programs. We plotted the\nimpact and likelihood ratings on a chart known as a \xe2\x80\x9cheat map,\xe2\x80\x9d which depicts the intersections\nof the lower, medium, and higher ratings, to determine a rating for the impact and likelihood\nfactor. The heat map is shown in Table 2.\n\n\n\n\n6\n    OMB M-13-21, \xe2\x80\x9cImplementation of the Government Charge Card Abuse Prevention Act of 2012,\xe2\x80\x9d Sept. 6, 2013.\n                                                    3\n                                               UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n                Table 2. Impact and Likelihood Factor Heat Map\n                                                                      Factor\n                                   Higher          Medium             High        Very High\n                     Impact\n                                   Medium            Low            Medium          High\n                     Rating\n                                   Lower           Very Low           Low          Medium\n                                                    Lower           Medium         Higher\n                                                                Likelihood Rating\n                Source: OIG developed based on review of industry standard principles for risk management.\n\nFinal Risk Assessment\n\nOIG combined the individual criteria ratings to form an overall combined rating and used this\nrating with the impact and likelihood factor to determine the final risk assessments for the\nDepartment\xe2\x80\x99s travel and purchase card programs. Specifically, we used the heat map shown in\nTable 3 to arrive at the overall risk assessment ratings.\n\n                Table 3. Final Assessment Heat Map\n                                                             Final Assessment Rating\n                                   Very High        Medium             High             Very High\n                   Impact and      High             Medium             High             Very High\n                   Likelihood      Medium            Low              Medium               High\n                     Factor        Low             Very Low             Low              Medium\n                                   Very Low        Very Low             Low              Medium\n                                                     Low              Medium               High\n                                                            Combined Criteria Rating\n                 Source: OIG developed based on review of industry standard principles for risk management.\n\n\n                                    Results of Risk Assessment\n\nThe results of the assessment show that the risk of illegal, improper, or erroneous use in the\nDepartment\xe2\x80\x99s travel card program is \xe2\x80\x9cvery high.\xe2\x80\x9d As a result, an audit of the Department\xe2\x80\x99s travel\ncard program has been recommended for inclusion in the OIG FY 2015 annual audit plan. The\nDepartment\xe2\x80\x99s purchase card program was rated \xe2\x80\x9cmedium\xe2\x80\x9d and was not recommended for OIG\naudit consideration for FY 2015; 7 however, OIG suggests that both travel card and purchase card\nprogram managers take appropriate actions to ensure and improve oversight of the programs.\nThe individual program results are described in the sections that follow.\n\nDepartment of State Travel Card\n\n       Criteria Ratings. According to documentation and information provided by the\nDepartment\xe2\x80\x99s travel card office, we determined that travel card program compliance with\nrequired internal controls was generally good\xe2\x80\x93overall 89 percent were in compliance (41 of 46\ncontrols), to include 78 percent in compliance (14 of 18 controls) with travel card-specific\n7\n The results of the risk assessment do not preclude OIG from reviewing the Department\xe2\x80\x99s purchase card program\nduring FY 2015 or at any other time.\n                                                  4\n                                             UNCLASSIFIED\n\x0c                                                UNCLASSIFIED\n\ncontrols, resulting in a rating of \xe2\x80\x9clower\xe2\x80\x9d for this criterion. The availability of training and\nincorporation of training in policy were rated \xe2\x80\x9cmedium\xe2\x80\x9d because the travel card management\nplan was not clear as to how refresher training was provided and/or enforced for cardholders and\nother program participants, which is potentially a significant weakness in ensuring that\ncardholders and other program participants understand the rules and regulations regarding travel\ncard use. The last audit of the travel card program was conducted in 2002 (reported in March\n2003), 8 and although all of the recommendations have since been implemented, the audit\nidentified weaknesses in internal controls and is now more than 10 years old. This resulted in a\nrating of \xe2\x80\x9chigher\xe2\x80\x9d for the prior OIG coverage criterion. Finally, the input from OIG/INV\nforensic auditors and their review of data for the travel card program resulted in the rating of\n\xe2\x80\x9chigher.\xe2\x80\x9d Consequently, these factors significantly influenced the combined rating of \xe2\x80\x9chigh\xe2\x80\x9d for\nthe travel card program. OIG/INV identified multiple areas that warrant closer scrutiny, such as\npayments due from individual cardholders totaling approximately $1 million that were 60 days\ndelinquent (when data was obtained); disciplinary procedures that were implemented\ninconsistently across bureaus (according to interviews with the travel card program manager);\nsplit disbursements 9 that were not being implemented; and the effectiveness, as well as the costs,\nof managing the centrally billed accounts (CBA) that may not justify their high rate of use by the\nDepartment. The individual criteria ratings and overall combined rating are shown in Table 4.\n\n                   Table 4. Criteria Ratings\n                              Criteria                               Rating\n                   Internal Controls                                 Lower\n                   Training                                          Medium\n                   Prior OIG Audits                                  Higher\n                   OIG/INV Input                                     Higher\n                   Combined                                           High\n                   Source: OIG generated based on analysis of information and documentation\n                   as described in the Scope and Methodology section of this report.\n\n        Impact and Likelihood Factor. The Department\xe2\x80\x99s travel card office reported that in\nFY 2013, the Department spent a total of $237 million ($213 million in CBA travel cards and\n$24 million on individually billed accounts (IBA)), which was attributed to 9,081 total\ncardholders (832 CBAs and 8,249 IBAs). The impact and likelihood factor, shown in Table 5,\nraises the significance of the risk associated with the Department\xe2\x80\x99s travel card program.\n\n                  Table 5. Impact and Likelihood Factor\n                                                                          Rating\n                   Impact               $237 million                      Higher\n                   Likelihood           9,081 Cardholders                 Higher\n                   Factor                              Very High\n                   Source: OIG generated based on analysis of information and documentation\n                   as described in the Scope and Methodology section of this report.\n\n\n\n8\n Domestic Travel Card Program (AUD/FM-03-33, March 2003).\n9\n Split disbursements allow for cardholders to have part of their travel vouchers paid directly to the credit card\ncompany. Split disbursements are required by OMB Circular A-123, App. B.\n                                                     5\n                                                UNCLASSIFIED\n\x0c                                              UNCLASSIFIED\n\n         Final Risk Assessment and Recommendation. The final determination of risk of\nillegal, improper, or erroneous use in the Department travel card program was \xe2\x80\x9cvery high.\xe2\x80\x9d As a\nresult, an audit of the Department\xe2\x80\x99s travel card program has been recommended for inclusion in\nthe OIG FY 2015 annual audit plan. OIG also suggests that the travel card program manager\ntake appropriate actions to ensure and improve oversight of the travel card program.\n\nDepartment of State Purchase Card\n\n        Criteria Ratings. According to documentation and information provided by the\nDepartment\xe2\x80\x99s purchase card office, OIG determined that program compliance with required\ninternal controls was generally good\xe2\x80\x94overall 95 percent were in compliance (54 of 57 controls),\nto include 93 percent in compliance (27 of 29 controls) with purchase card-specific controls,\nresulting in a rating of \xe2\x80\x9clower\xe2\x80\x9d for this criterion. The availability of training and the\nincorporation of training in Department policy for the purchase card program were rated \xe2\x80\x9clower\xe2\x80\x9d\nbecause the purchase card office, in coordination with the Foreign Service Institute, had\ndeveloped specialized training for various participants in the program and it requires training for\napplicable cardholders every 3 years. The last audit of the purchase card program was conducted\nin 2009-2010 (reported in September 2010), 10 and one recommendation remained in the\n\xe2\x80\x9cresolved\xe2\x80\x9d status. However, the Department provided documentation of internal reviews that\nwere conducted that mitigated the risk and resulted in a rating of \xe2\x80\x9clower\xe2\x80\x9d for the prior audit\ncriterion. The input from OIG/INV forensic auditors and their review of data for the purchase\ncard program included questionable purchases and concerns that controls at overseas posts might\nnot be followed, which resulted in a rating of \xe2\x80\x9chigher\xe2\x80\x9d for this criterion. Finally, the Department\nmet the criteria and reported on violations as required, resulting in a \xe2\x80\x9clower\xe2\x80\x9d rating. The report\nincluded information from OIG on eight violations in various steps in the resolution process,\nincluding adverse personnel actions and pending hearings. The individual criteria ratings and\noverall combined rating are shown in Table 6.\n\n                    Table 6. Criteria Ratings\n                               Criteria                           Rating\n                    Internal Controls                             Lower\n                    Training                                      Lower\n                    Prior OIG Audits                              Lower\n                    OIG/INV Input                                 Higher\n                    Violation Report                              Lower\n                    Combined                                       Low\n                    Source: OIG generated based on analysis of information and documentation\n                    as described in the Scope and Methodology section of this report.\n\n       Impact and Likelihood Factor. The Department\xe2\x80\x99s purchase card office reported that in\nFY 2013, the Department spent $98.5 million, which was attributed to 1,563 cardholders. The\nimpact and likelihood factor, shown in Table 7, raised the significance of the risk associated with\nthe Department\xe2\x80\x99s purchase card program to \xe2\x80\x9cvery high.\xe2\x80\x9d\n\n\n\n10\n     Audit of Department of State Purchase Card Domestic Use (AUD/SI-10-31, Sept. 2010).\n                                                   6\n                                              UNCLASSIFIED\n\x0c                                              UNCLASSIFIED\n\n                 Table 7. Impact and Likelihood Factor\n                                                                       Rating\n                  Impact              $98.5 million                    Higher\n                  Likelihood          1,563 cardholders                Higher\n                  Factor                              Very High\n                  Source: OIG generated based on analysis of information and documentation\n                  as described in the Scope and Methodology section of this report.\n\n        Final Risk Assessment. The final determination of risk of illegal, improper, or\nerroneous use in the Department\xe2\x80\x99s purchase card program was \xe2\x80\x9cmedium.\xe2\x80\x9d An audit of the\nDepartment\xe2\x80\x99s purchase card program was not recommended for inclusion in the OIG FY 2015\nannual audit plan; 11 however, OIG suggests that the purchase card program manager take\nappropriate actions to ensure and improve oversight of the program. The OIG FY 2014 risk\nassessment will carefully consider the progress of OIG/INV forensic auditors\xe2\x80\x99 data mining\nefforts and the status of implementation of the outstanding OIG audit recommendation.\n\n This report was provided for informational purposes, and a response is not required. OIG\n appreciates the cooperation and assistance provided by your staff during this risk assessment. If\n you have any questions please contact me, Assistant Inspector General for Audits, by email at\n[Redacted] (b) (6)                                                                [Redacted] (b) (6)\n                   @state.gov or Melinda M. Perez, Division Director, by email at                    @state.gov.\n\ncc: A/LM/AQM/BOD \xe2\x80\x93 Margaret Colaianni\n    CGFS/F \xe2\x80\x93 Wayne A. McMillan\n    CGFS/F \xe2\x80\x93 Carla R. Henson\n    CGFS/OMA/FCR \xe2\x80\x93 Paul McVicker\n\n\n\n\n11\n  The results of the risk assessment do not preclude OIG from reviewing the Department\xe2\x80\x99s purchase card program\nduring FY 2015 or at any other time.\n                                                   7\n                                              UNCLASSIFIED\n\x0c'